https://bz.apache.org/bugzilla/show_bug.cgi?id=61999
Bug ID: 61999
Summary: Setting maxSavePostSize=0 won't disable saving POST data
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: bsi....@gmail.com
Target Milestone: ----

The documentation for the Connector attribute "maxSavePostSize" says "Setting the attribute to zero will disable the saving of POST data during authentication.":
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes

However, we tested this and maxSavePostSize=0 won't disable saving POST data. Instead, it actually tries to save the data with limit 0, so if there is any POST data, a 403 Forbidden is sent in the response.

Also, looking at the corresponding source code, there is no special handling for ignoring POST data if maxSavePostSize is set to zero: FormAuthenticator#saveRequest(Request request, Session session) creates a ByteChunk with limit 0. When calling ByteChunk#append(byte src[], int off, int len) we get to the flushBuffer() method which throws an IOException caught by FormAuthenticator#doAuthenticate which then sends a 403 Forbidden. There is only special handling for the case where maxSavePostSize is negative (i.e. no limit).
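A configuration check for the setting discussed in this report, as an added example that is not part of the original message or of Tomcat's code: it scans a server.xml for Connector elements and flags maxSavePostSize="0", where the documented and the reported behaviour differ. The sample XML, the function names and the status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the bug report).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxSavePostSize="0"/>
    <Connector port="8443" protocol="HTTP/1.1" maxSavePostSize="-1"/>
    <Connector port="8081" protocol="HTTP/1.1" maxSavePostSize="8192"/>
    <Connector port="8082" protocol="HTTP/1.1"/>
    <Connector port="8083" protocol="HTTP/1.1" maxSavePostSize="4k"/>
  </Service>
</Server>"""


def classify(raw):
    """Map a maxSavePostSize value to the behaviour described in the report."""
    if raw is None:
        return "default", "attribute not set; the connector default applies"
    try:
        value = int(raw.strip())
    except ValueError:
        return "invalid", f"not an integer: {raw!r}"
    if value < 0:
        return "unlimited", "negative value: no limit on saved POST data"
    if value == 0:
        return "mismatch", ("documented as disabling the save; bug 61999 "
                            "reports 403 Forbidden when POST data is present")
    return "limited", f"POST data saved with a limit of {value} bytes"


def audit_connectors(server_xml):
    """Return (port, status, note) for every <Connector> in a server.xml string."""
    root = ET.fromstring(server_xml)
    return [(c.get("port", "?"),) + classify(c.get("maxSavePostSize"))
            for c in root.iter("Connector")]


def ports_needing_review(server_xml):
    """Ports that rely on the documented zero semantics or hold a bad value."""
    return [port for port, status, _ in audit_connectors(server_xml)
            if status in ("mismatch", "invalid")]


if __name__ == "__main__":
    for port, status, note in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {status}: {note}")
```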